Organizations managing Britain’s critical infrastructure have been warned to improve their cyber security strategies, or face fines of up to £17 million ($23.92m).
The UK’s Department for Digital, Culture, Media and Sport (DCMS) has issued guidance regarding the EU Network and Information Systems (NIS) directive, which became EU law last year, and will be adopted into UK law on 10 May 2018.
Fix it, or else
The directive applies to organizations whose essential services depend heavily on network and information systems, such as transport, healthcare, water, energy and digital infrastructure companies. These are classified as “operators of essential services” (OES).
They will be expected to take “appropriate and proportionate security measures to manage risks to their network and information systems, and they will be required to notify serious incidents to the relevant national authority.”
The directive also requires each member state to set up a computer security incident response team (CSIRT), which in Britain’s case will be run by the National Cyber Security Centre (NCSC), an agency launched last year.
Affected organizations will be obliged to report serious incidents affecting their network and information systems to their national CSIRT.
They will also have to report to “competent authorities” (CAs), the Secretaries of State for each industry sector, with the exception of digital service providers, who will report to the Information Commissioner’s Office.
CAs will be tasked with determining whether an organization that has suffered an incident had taken appropriate measures to secure its systems, and with deciding on an “appropriate and proportionate” penalty for any failure, which may include fines and legally binding instructions to improve security.
Incidents that must be reported are not limited to cyber attacks: the CSIRT should also be notified of power outages, hardware failures and environmental hazards affecting critical systems.